216.73.217.80

CVE-2025-66300

· Published 01/12/2025 22:15 · Modified 03/12/2025 15:45

Labels: CVE-2025-66300 2025-12-01CVE-2025-66300CWE-22[email protected]

Essential information

Published
01/12/2025 22:15
Modified
03/12/2025 15:45
Author
Creator
CVSS
8.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

CVSS metrics

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A low privilege user account with page editing privilege can read any server files using "Frontmatter" form. This includes Grav user account files (/grav/user/accounts/*.yaml), which store hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password. This vulnerability is fixed in 1.8.0-beta.27.

NVD status

Status
Analyzed — CVE has had analysis completed and all data associations made.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
getgrav / grav cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta1:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta10:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta11:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta12:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta13:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta14:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta15:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta16:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta17:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta18:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta19:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta2:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta20:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta21:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta22:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta23:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta24:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta25:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta26:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta3:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta4:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta5:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta6:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta7:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta8:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta9:*:*:*:*:*:*

References